Step-by-Step Guide to Enabling Hotpatching in Windows Server 2025
In this step-by-step guide, we will explain how to enable the Hotpatching feature in Windows Server 2025.

Hotpatching is a feature in Windows Server 2025 that allows system administrators to apply security updates and patches without requiring a system reboot, which minimizes downtime and keeps the server running continuously. This article covers the activation of Hotpatching in Windows Server 2025, including prerequisites, step-by-step instructions, best practices, and troubleshooting tips.
What is Hotpatching in Windows Server?
As organizations increasingly rely on Windows Server for managing critical business operations, reducing system downtime has become essential. One of the latest innovations addressing this need is Hotpatching.
Microsoft initially introduced a preview version of Hotpatching for Windows Server 2022 virtual machines in Microsoft Azure (requiring Azure Windows Server 2022 ISOs). As this technology evolved, it expanded to more platforms, including physical servers. Hotpatching, currently in public preview, enables system administrators to apply security updates and patches with significantly fewer reboots throughout the year. Microsoft is expected to release this feature publicly in mid-2025.
For clarity, Hotpatching in Windows Server 2025 can run on virtualization platforms other than Hyper-V, such as VMware and any platform that supports Microsoft’s Virtualization-Based Security (VBS) feature. (More details below.)
Annual Hotpatching Schedule
Instead of requiring twelve mandatory reboots per year, Hotpatching reduces scheduled reboots to just four times annually. For Patch Tuesday in January, April, July, and October, IT professionals can expect cumulative monthly updates requiring a reboot. However, in other months, in-memory processes are updated via special security updates through Hotpatching—ensuring faster installations with no reboots required!
Hotpatching updates are lightweight, requiring fewer CPU resources during installation and using smaller binary files, allowing for faster patch deployment. This makes patch coordination much more convenient for IT professionals.
Prerequisites for Hotpatching in Windows Server
Before enabling Hotpatching, several key prerequisites must be met:
- Windows Server Version
  - You must be running Windows Server 2025 (Standard or Datacenter edition). While this may be a challenge for some organizations, this transition is part of Microsoft’s long-term strategy to gradually introduce this technology.
- Internet Connection / Azure Arc
  - A stable and reliable internet connection is required to access Microsoft update servers.
  - You must connect Windows Server to Azure Arc using the Azure Connected Machine Agent (CMA).
- Virtualization-Based Security (VBS)
  - VBS is essential for Hotpatching to function. It uses hardware virtualization to create an isolated environment known as a secure core, which protects system processes and sensitive data from unauthorized access.
  - Since Hotpatching updates live memory code without requiring a reboot, the secure environment provided by VBS must be enabled to ensure that updates are applied securely and correctly.
Enabling Virtualization-Based Security (VBS) and Hotpatching in Windows Server 2025
To enable Hotpatching in Windows Server 2025, you must first ensure that VBS (Virtualization-Based Security) is activated. VBS helps apply Hotpatching updates correctly. Follow these steps to enable VBS and then Hotpatching:
Step 1: Check VBS Status
To check whether VBS is enabled, run the following:
- Open Start Menu -> Run or Command Prompt, then type msinfo32.exe.
- In the System Summary window, look for Virtualization-Based Security.
- If the status is not "Running," you need to enable VBS.
Step 2: Enable VBS (If Disabled)
If VBS is not enabled, follow these steps:
- Run the following command in PowerShell:
  - Open PowerShell as an administrator.
  - Enter the following command to update the registry:
    Reg add "HKLM\SYSTEM\ControlSet001\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
- Restart the system:
  - After executing the command, restart the system.
- Verify VBS Status:
  - After rebooting, run msinfo32.exe again and ensure Virtualization-Based Security is set to "Running."
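The same check-and-enable procedure as Steps 1 and 2, scripted so it can be run across many servers, as an added example that is not part of the original article. It reads the Win32_DeviceGuard WMI class instead of msinfo32 and writes the same DWORD the article sets with reg.exe; it assumes an elevated PowerShell session and uses the CurrentControlSet alias of the DeviceGuard key rather than the article's ControlSet001 path.

```powershell
# Added example, not from the original article. Run from an elevated
# PowerShell session on Windows Server 2025.
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not
# running, 2 = running (documented values of Win32_DeviceGuard).

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'
    $names = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    # Cast to [int]: the WMI value is uint32 and would not match the int keys.
    $code  = [int]$dg.VirtualizationBasedSecurityStatus
    $label = $names[$code]
    if ($null -eq $label) { $label = "Unknown ($code)" }
    [pscustomobject]@{
        Status      = $label
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Enable-Vbs {
    # Same value the article sets via reg.exe. CurrentControlSet is the
    # standard alias of the active control set (assumption: this is the
    # ControlSet001 the article's command targets).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'EnableVirtualizationBasedSecurity' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-VbsState
$state | Format-List
if ($state.Status -ne 'Running') {
    Enable-Vbs
    # The change only takes effect after a reboot; no automatic restart here.
    Write-Host 'VBS enabled in the registry. Reboot, then run Get-VbsState again and expect "Running".'
}
```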
Step 3: Enable Hotpatching in Windows Server 2025
- Log in to Azure Portal
  - Open Azure Portal and navigate to your server.
- Enable Hotpatching
  - In the Capabilities section, locate Hotpatching (preview) and enable it.
  - If VBS is enabled, Azure should confirm its status as "On."
- Opt-in to Receive Monthly Hotpatches
  - Check the box labeled “I want to license this Windows Server to receive monthly hotpatches.”
  - Click Confirm to proceed.
Step 4: Complete the Enrollment Process
Once Hotpatching is enabled, the enrollment process will begin. Wait for the process to complete.
After completion, your server will be ready to receive Hotpatches. Expect the first Hotpatch updates in February and March, while subsequent updates will only require a reboot during scheduled Patch Tuesday releases.
Verify Hotpatching Activation in Windows Server
To confirm that your server is set up for Hotpatching, use the following methods:
Method 1: Check via Azure Portal
- Log into Azure Portal and navigate to your server.
- Go to Operations -> Updates.
- Click Check for updates at the top of the page to retrieve pending updates.
- The Hotpatch section should display the status as Enabled.
Method 2: Check via Windows Update
- Open Windows Update on your server.
- Click on Update History.
- Look for updates labeled (Hotpatches) to confirm that Hotpatch-capable updates have been installed.
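Method 2 from the command line, as an added example that is not part of the original article: it reads the same local update history that Windows Update -> Update History displays, through the Windows Update Agent COM API, and keeps only entries whose title mentions a hotpatch. It assumes the installed entries carry "Hotpatch" in their titles, as the "(Hotpatches)" label the article describes suggests, and that the Azure Connected Machine Agent's azcmagent.exe is on the path for the Arc check.

```powershell
# Added example, not from the original article. Lists hotpatch entries
# from the local Windows Update history and confirms the Arc agent is present.

function Get-HotpatchHistory {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    # OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors,
    # 4 = Failed, 5 = Aborted
    $results = @{ 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Title -match 'Hotpatch' } |
        ForEach-Object {
            $code  = [int]$_.ResultCode
            $label = $results[$code]
            if ($null -eq $label) { $label = "Code $code" }
            [pscustomobject]@{
                Date   = $_.Date
                Title  = $_.Title
                Result = $label
            }
        }
}

# Prerequisite check: the Azure Connected Machine Agent must be installed
# and connected for the server to be enrolled through Azure Arc.
if (Get-Command azcmagent -ErrorAction SilentlyContinue) {
    azcmagent show
} else {
    Write-Warning 'azcmagent not found: the server is not connected to Azure Arc.'
}

$hot = Get-HotpatchHistory
if ($hot) {
    $hot | Sort-Object Date -Descending | Format-Table -AutoSize
} else {
    Write-Host 'No hotpatch entries in update history yet (the article expects the first ones after enrollment).'
}
```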
These methods ensure that your server is ready for Hotpatching and capable of receiving updates seamlessly without frequent reboots.
By following this guide, you can successfully enable and utilize Hotpatching in Windows Server 2025, reducing downtime while maintaining high security and efficiency.